I've not examined the system for several years (I'm just a happy user
now, not an admin), but at least at one time SecurID would accept the
current code (of course), one code behind or one ahead, for a total window
of 3 minutes as Roger notes.

If the gadget's clock had drifted to more than one minute off, and you
were TWO codes ahead or behind, the system would additionally prompt for
the NEXT code displayed to make sure you were you, and it would update
the stored time offset for your gadget. Pretty slick system.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 19, 2003 10:01 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security


Actually, you've got the system down correctly.

However, the slack time is +/- 1 minute, so you really get 3 minutes per
code.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 10:29 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> Forgive me for arguing, but I believe the time allotted for guessing that
> third factor is even less than indicated below.  Of course, by token, I am
> referring to what RSA calls a "keyfob."  Is that what you are referring to
> as well?
> 
> Here is what I understand to be the process, from reading the manuals we
> have:
> 1.  Upon issuance to the user, you synch the token/keyfob with the RSA
> server DB.
> 2.  A 6-digit code displays for 1 minute on the token.
> 3.  If used for authentication within that 1 minute period, it is
> "time-stamped" as to when you entered the Passcode (PIN + code) and has an
> additional 1 minute latency period.  Meaning that if you dial-up and enter
> your passcode 30 seconds into the code, you have 1:30 to connect to the
> dial-up server and be authenticated.
> 4.  If you enter the same code after the display has rolled over however,
> that code is no longer valid, as the timestamp when you entered it will no
> longer match with the timestamp on the server for when that code was valid.
> 
> So the short version is that if you enter the code while it's displaying on
> the token, it's good for 1 minute with a 1 minute latency period.  If you
> don't enter the number while it's viewable, then you've missed your window
> of opportunity, because it was only good for one minute.  Oh and BTW...if
> you are trying to guess the code and miss it three times, regardless of
> length of time between guesses, it will lock your token until an admin can
> reset it.
> 
> That's how I understand the process.
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 5:44 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> It doesn't stop key logging per se, but it renders it ineffective.
> 
> The SecurID tokens use a three factor[1] authentication system, in which the
> third piece is a 6 digit, one time use code. That code is good for exactly 3
> minutes, and once used cannot be used again.
> 
> Therefore, logging the authentication process is useless, as you'll only get
> 2 of the 3 factors, and for the third factor, you have a 1 in 1,000,000
> chance, reset every three minutes, to guess that last part.
> 
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> [1] They call it 2 factor, but you need a username, a PIN, and the SecurID
> token number to log in - that's either 3 or 11, depending on how much of a
> geek you are.
> 
> :::: snip ::::
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
